
CLDAP Reflection DDoS

The Akamai Security Intelligence Response Team (SIRT) recently identified a new Connection-less Lightweight Directory Access Protocol (CLDAP) reflection and amplification method. This advisory analyzes the capabilities of and potential defenses against this new type of reflection attack.

Authors: Jose Arteaga & Wilber Mejia

1.0 / Overview /

On October 14, 2016, the Akamai Security Operations Center (SOC) began mitigating attacks for what was suspected to be Connection-less Lightweight Directory Access Protocol (CLDAP) reflection. This reflection and amplification method has since been confirmed by the Akamai Security Intelligence Response Team (SIRT) and has been observed producing Distributed Denial of Service (DDoS) attacks comparable to Domain Name System (DNS) reflection, in that most exceed 1 Gbps.

Like many other reflection and amplification vectors, this one would not be possible if proper ingress filtering (source-address validation, so that attackers cannot spoof the victim's address in their queries) were in place. Attackers discover potential reflectors through internet-wide scans; filtering User Datagram Protocol (UDP) destination port 389 at the network edge keeps a host from being discovered and enlisted as yet another source fueling attacks. This advisory covers the distribution of these sources, the methods of attack, and the target industries observed.

2.0 / Attack Timeline /

Since October 2016, Akamai has detected and mitigated a total of 50 CLDAP reflection attacks. Of those 50 attack events, 33 were single-vector attacks using CLDAP reflection exclusively. Figure 1 provides a timeline of attacks, showing attack size and detailing whether the attack was single- or multi-vector.

While the gaming industry is typically the most targeted industry overall, the observed CLDAP attacks have mostly targeted the software & technology industry, along with six other industries.

2.1 / Highlighted Attack Attributes /

On January 7, 2017, the largest DDoS attack using CLDAP reflection as the sole vector was observed and mitigated by Akamai. Attributes of the attack were as follows:

Industry Vertical: Internet & Telecom

Peak Bandwidth: 24 Gigabits per second

Peak Packets per Second: 2 Million Packets per second

Attack Vector: CLDAP

Source Port: 389

Destination Port: Random

Signatures of this attack reveal that it is capable of impressive amplification factors. After the first few waves of attacks using CLDAP, Akamai SIRT obtained samples of the malicious Lightweight Directory Access Protocol (LDAP) reflection queries. The query payload is only 52 bytes and is discussed further in the "Attack & CLDAP Overview" section. With an attack data payload of 3,662 bytes against a query payload of 52 bytes, the Base Amplification Factor (BAF) was 70x (3,662 / 52 ≈ 70.4), although only one host was observed to return a response of that size. Post-attack analysis showed that the average amplification during this attack was 56.89x.

This 24 Gbps attack was the largest CLDAP reflection attack mitigated by Akamai to date. In contrast, the smallest attack Akamai has observed using this vector was 300 Mbps, and the average bandwidth of a CLDAP attack has been 3 Gbps.
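The attributes above (responses from UDP source port 389 toward the victim on arbitrary destination ports, with a BAF computed against the 52-byte query) translate directly into detection logic. The following is an added example, not Akamai's code and not part of the original advisory: it runs over constructed UDP flow records, separates reflected replies from replies to queries the victim genuinely sent (the victim's own outbound traffic to port 389 has to be in the sample for that check to work), and computes per-reflector and overall amplification using the advisory's 52-byte query size as the denominator. All addresses and sizes are made up for illustration.

```python
"""Spot CLDAP reflection traffic in sampled UDP flow records and compute the
amplification it achieved.  Added example for this advisory; it is not
Akamai's code.  The flow records below are constructed, and the 52-byte
query size used as the BAF denominator is the figure quoted in the advisory."""

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

CLDAP_PORT = 389
QUERY_BYTES = 52  # size of the CLDAP query payload reported in the advisory


@dataclass(frozen=True)
class UdpRecord:
    """One sampled UDP datagram: addresses, ports and UDP payload length."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload_bytes: int


VICTIM = "203.0.113.5"

# Constructed sample.  Three reflectors answer from UDP/389 to ports the
# victim never queried from; one server (192.0.2.100) answers a query the
# victim really sent; a DNS reply is present as unrelated background traffic.
SAMPLE = [
    UdpRecord("198.51.100.10", 389, VICTIM, 41234, 3662),
    UdpRecord("198.51.100.10", 389, VICTIM, 5050, 3662),
    UdpRecord("198.51.100.23", 389, VICTIM, 60001, 2900),
    UdpRecord("198.51.100.23", 389, VICTIM, 22, 2900),
    UdpRecord("198.51.100.77", 389, VICTIM, 33000, 2100),
    UdpRecord(VICTIM, 50123, "192.0.2.100", 389, 52),     # legitimate query out
    UdpRecord("192.0.2.100", 389, VICTIM, 50123, 700),     # and its reply
    UdpRecord("192.0.2.53", 53, VICTIM, 51515, 120),        # unrelated DNS reply
]


def find_reflectors(records, victim_ip):
    """Return {reflector_ip: stats} for hosts whose UDP/389 responses reached
    the victim although the victim sent them no CLDAP query in the sample.

    The reflection signature from the advisory is source port 389 toward the
    victim with arbitrary destination ports; the asymmetry check (responses
    without a matching request) separates reflected replies from replies to
    queries the victim genuinely made."""
    sent_to = defaultdict(int)      # server ip -> bytes victim sent to its port 389
    replies = defaultdict(list)     # server ip -> payload sizes received from its port 389
    for r in records:
        if r.src_ip == victim_ip and r.dst_port == CLDAP_PORT:
            sent_to[r.dst_ip] += r.payload_bytes
        elif r.dst_ip == victim_ip and r.src_port == CLDAP_PORT:
            replies[r.src_ip].append(r.payload_bytes)

    reflectors = {}
    for ip, sizes in replies.items():
        if sent_to[ip] > 0:
            continue  # the victim asked this server; not reflection
        reflectors[ip] = {
            "responses": len(sizes),
            "bytes": sum(sizes),
            "max_baf": max(sizes) / QUERY_BYTES,    # best case for the attacker
            "mean_baf": mean(sizes) / QUERY_BYTES,
        }
    return reflectors


def overall_baf(reflectors):
    """Bytes delivered to the victim per byte of spoofed query, across all
    reflectors: the kind of 'average amplification' figure the advisory reports."""
    total_bytes = sum(s["bytes"] for s in reflectors.values())
    total_responses = sum(s["responses"] for s in reflectors.values())
    return total_bytes / (total_responses * QUERY_BYTES) if total_responses else 0.0


if __name__ == "__main__":
    found = find_reflectors(SAMPLE, VICTIM)
    for ip, s in sorted(found.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{ip:15} responses={s['responses']} bytes={s['bytes']} "
              f"max_baf={s['max_baf']:.1f}x mean_baf={s['mean_baf']:.1f}x")
    print(f"overall amplification: {overall_baf(found):.2f}x")
```

On the victim side this ranks reflectors by bytes delivered, which is the list to hand to upstream providers for filtering. On the reflector side the converse check applies: any UDP/389 traffic arriving from the internet is a sign the host is discoverable, and the advisory's recommendation is to filter UDP destination port 389 at the network edge so the host cannot be enlisted.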

Akamai secures and delivers digital experiences for the world’s largest companies. Akamai’s intelligent edge platform surrounds everything, from the enterprise to the cloud, so customers and their businesses can be fast, smart, and secure. Top brands globally rely on Akamai to help them realize competitive advantage through agile solutions that extend the power of their multi-cloud architectures. Akamai keeps decisions, apps, and experiences closer to users than anyone — and attacks and threats far away. Akamai’s portfolio of edge security, web and mobile performance, enterprise access, and video delivery solutions is supported by unmatched customer service, analytics, and 24/7/365 monitoring. To learn why the world’s top brands trust Akamai, visit www.akamai.com, blogs.akamai.com, or @Akamai on Twitter. You can find our global contact information at www.akamai.com/locations.